The SG 200-10 is fine for this purpose. It should act as a switch, with the inside ports for your Primary and Failover ASA, along with the Packetshaper, all on the same VLAN. You can use the default SG 200 configuration for this as it should have all ports belonging to the default VLAN 1 from the factory.
You may want to configure the switch ports as access mode (default is trunk) and set up a non-default IP address and credentials to manage the switch remotely. As noted in the Administration Guide, it has a default IP address of 192.168.1.254 and userid / password of cisco / cisco.
Thanks for the response - it is much appreciated. I still have one question on setting up management access. Currently our management VLAN is Native VLAN 1. If I connect a VLAN 1 port back to my internal network, will I not in essence be permitting the PIX traffic to escape back to my internal network via VLAN 1 instead of just passing traffic from PIX to Shaper?
Well, traffic wouldn't 'escape' really but a better design would be to create a VLAN that is only assigned on the ports connecting the ASAs' inside interfaces and the Packetshaper. You would then need a separate VLAN if you wish to remotely manage the SG 200 switch.
However, your questions have led beyond the initial one about how to make it work and into your overall network design and operations approach.